GNOME Bugzilla – Bug 690177
Use trust-prompt for certificate verification in WebDAV backends
Last modified: 2013-09-14 16:55:59 UTC
Here are patches to use trust-prompt for book and calendar backends which are using WebDAV extensions. They are tested up to the connection, I didn't get further, because libsoup doesn't provide the certificate, neither gives the error it has with the certificate - see bug #690176 for more information. The patches are not meant for a review, it's to not have lost them before the libsoup is fixed and before eds/evo will be able to depend on its version.

My current idea is to drop the "ignore-invalid-cert" property of the WebDAV extension and introduce "ssl-trust", which holds three values, separated by a pipe '|'. Those are:
a) last user's choice
b) hostname
c) SHA1 checksum of the certificate

This way the trust will be saved within the ESource, and if either hostname changes, or the checksum changes, then user is re-asked. The temporary accept/reject are causing reset of ssl-trust on the book/calendar backend open, thus user is re-asked as well.

I also replaced the checkbox from book/calendar Properties with a button "Unset trust for SSL certificate", which is enabled only if there is any trust stored, thus if a user accidentally rejected the certificate, then he/she can fix it semi-easily.
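The "ssl-trust" check described in the comment above, sketched as an added example that is not part of the original report or of the eds/evo patches. The function name `check_ssl_trust`, the choice tokens "accept" and "reject", the host names and the sample fingerprint are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum trust_result { TRUST_ACCEPT, TRUST_REJECT, TRUST_PROMPT };

/* Constructed sample fingerprint (40 hex chars), not taken from the bug. */
#define SAMPLE_SHA1 "da39a3ee5e6b4b0d3255bfef95601890afd80709"

/* Decide from a stored "choice|hostname|sha1" value whether the saved answer
 * still applies. The tokens "accept" and "reject" are assumed spellings; the
 * bug report does not say how the user's choice is encoded. */
enum trust_result check_ssl_trust(const char *stored, const char *host,
                                  const char *sha1_hex)
{
    char buf[512], *saved_host, *saved_sha1, *sep;

    if (!stored || !host || !sha1_hex || strlen(stored) >= sizeof buf)
        return TRUST_PROMPT;              /* nothing usable stored */
    strcpy(buf, stored);

    /* Split into exactly three fields; any other shape counts as unset. */
    if (!(sep = strchr(buf, '|'))) return TRUST_PROMPT;
    *sep = '\0'; saved_host = sep + 1;
    if (!(sep = strchr(saved_host, '|'))) return TRUST_PROMPT;
    *sep = '\0'; saved_sha1 = sep + 1;

    /* A SHA-1 digest is 40 hex characters (this also rejects a 4th field). */
    if (strlen(saved_sha1) != 40 ||
        strspn(saved_sha1, "0123456789abcdefABCDEF") != 40)
        return TRUST_PROMPT;

    /* Hostname or checksum changed (exact match required): ask again. */
    if (strcmp(saved_host, host) || strcmp(saved_sha1, sha1_hex))
        return TRUST_PROMPT;

    if (!strcmp(buf, "accept")) return TRUST_ACCEPT;
    if (!strcmp(buf, "reject")) return TRUST_REJECT;
    return TRUST_PROMPT;                  /* temporary or unknown choice */
}

int main(void)
{
    static const char *names[] = { "accept", "reject", "prompt" };
    const char *stored = "accept|dav.example.org|" SAMPLE_SHA1;

    printf("same host and cert: %s\n",
           names[check_ssl_trust(stored, "dav.example.org", SAMPLE_SHA1)]);
    printf("host changed:       %s\n",
           names[check_ssl_trust(stored, "dav.example.net", SAMPLE_SHA1)]);
    return 0;
}
```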
Created attachment 231510 eds patch for evolution-data-server;
Created attachment 231511 evo patch for evolution;
OK, the patches required a bit more work, same as I faced bug #691399, which slowed the work a bit, but, after all, I've this done with a workaround for stable libsoup. The newer, since 2.41.3+, will show a nicer certificate prompt.

Created commit 705af70 in eds master (3.7.4+)
Created commit 957ff43 in evo master (3.7.4+)
Unfortunately the new logic is insecure: bug 699797.